How to rate limit a firebase function with Cloud Armor

I have one cloud function (firebase function) which is publicly accessible and I would like to rate limit this function with the help of Google Cloud Armor.

However, this does not seem to be as trivial a task as I thought. I could not find much documentation on setting up something like this.

This document illustrates exactly what I need but does not provide any guidance on setting this up for a cloud function.

When I try to add a Cloud Armor Policy in the GCP console I cannot even add a target.

I am on the Standard (not Managed Protection Plus) Plan but I think this should be fine.

Cloud Armor does not support rate limiting Cloud Functions. You should instead use the maxInstances option directly within cloud functions. This will allow you to control the simultaneous execution of the function.

If an HTTP function is scaled up to the maxInstances limit, new requests are queued for 30 seconds and then rejected with a response code of 429 Too Many Requests if no instance is available by then.

Cloud Armor is a WAF (Web Application Firewall) to filter the traffic at the Application level of the OSI layers. It's not a rate limiter or authentication layer.

For that you need to add an API management layer that allows you to authenticate and rate limit the API. API Gateway can do that, but only based on an API key. If the user doesn't use an API key, it's a common pool that is rate limited and a spammer can create an unavailability of the service by consuming all the quotas every time.

Apigee is the other solution, but it's enterprise grade (with an enterprise grade billing plan).


Or, if it's for protecting your money, you can limit the number of function instances thanks to the great answer of Kunal Deo.

Note that the solution provided before (only an API gateway) will provide rate limit at a service/application level if all users from that service use the same API key. A single user could deplete your entire quota and block function execution from other users.

If you need to rate limit by IP address (or similar), you could:

  1. Make your function private (no invoke privileges for allUsers or allAuthenticatedUsers, only to a service account). You can put an API Gateway in front of your functions if you'd like.
  2. Use a Load Balancer in front of your functions (serverless NEG) or your API gateway. The LB must have invoke privileges using the service account.
  3. Add Cloud Armor to protect the Load Balancer and rate limit it.

At least from reading the docs, it should work:

https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless

https://cloud.google.com/armor/docs/rate-limiting-overview
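
The difference between a shared quota (one API key for all users) and a per-IP rate-limit key, discussed in the last two answers, shown as an added example that is not part of the original answers. It is a simplified fixed-window throttle replayed over constructed traffic; the function names, thresholds and IP addresses (documentation ranges) are assumptions, and the model is not Cloud Armor's or API Gateway's implementation.

```javascript
// Simplified fixed-window throttle (illustrative model only).
// keyFn decides which requests share a counter:
//   constant key -> one shared pool; client IP -> one counter per client.
function makeThrottle({ threshold, intervalSec, keyFn }) {
  const windows = new Map(); // key -> { start, count }
  return function check(req) {
    const key = keyFn(req);
    let w = windows.get(key);
    if (!w || req.t - w.start >= intervalSec) {
      w = { start: req.t, count: 0 }; // start a new counting window
      windows.set(key, w);
    }
    w.count += 1;
    return w.count <= threshold ? 200 : 429; // 429 Too Many Requests
  };
}

// Constructed traffic: for 3 seconds, one noisy client sends 20 requests
// per second, followed by one request from each of two ordinary clients.
function buildTraffic() {
  const reqs = [];
  for (let t = 0; t < 3; t++) {
    for (let i = 0; i < 20; i++) reqs.push({ t, ip: "203.0.113.9" });
    reqs.push({ t, ip: "198.51.100.4" });
    reqs.push({ t, ip: "198.51.100.7" });
  }
  return reqs;
}

// Replay the traffic and count rejected (429) requests per client IP.
function rejectedPerIp(throttle, reqs) {
  const rejected = {};
  for (const r of reqs) {
    rejected[r.ip] = rejected[r.ip] || 0;
    if (throttle(r) === 429) rejected[r.ip] += 1;
  }
  return rejected;
}

const limits = { threshold: 30, intervalSec: 60 }; // assumed values
const sharedPool = makeThrottle({ ...limits, keyFn: () => "shared-api-key" });
const perIp = makeThrottle({ ...limits, keyFn: (r) => r.ip });

const sharedResult = rejectedPerIp(sharedPool, buildTraffic());
const perIpResult = rejectedPerIp(perIp, buildTraffic());
console.log("shared pool, rejected per IP:", sharedResult);
console.log("per-IP key, rejected per IP: ", perIpResult);
```

With the shared pool the ordinary clients are rejected once the noisy client has used up the window; with the per-IP key only the noisy client receives 429.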
